From: sashiko-bot@kernel.org
To: "Zide Chen" <zide.chen@intel.com>
Cc: linux-perf-users@vger.kernel.org
Subject: Re: [PATCH 7/7] perf/x86/intel/uncore: Implement lazy setup for MSR/MMIO PMU
Date: Thu, 14 May 2026 05:38:18 +0000
Message-ID: <20260514053819.14E82C2BCB7@smtp.kernel.org>
In-Reply-To: <20260512233048.9577-8-zide.chen@intel.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Local parameter modification in uncore_cpu_mmio_init fails to clear global uncore arrays on error, leading to a guaranteed kernel crash (Use-After-Free/NULL dereference) on partial initialization failure.
--
commit 27fb6ccf46a9e646f34ac7d3e4098f98a775ed6f
Author: Zide Chen <zide.chen@intel.com>
perf/x86/intel/uncore: Implement lazy setup for MSR/MMIO PMU
This commit updates MSR and MMIO uncore PMUs to use a lazy registration
model. The PMUs are registered when the first box is successfully
initialized and unregistered when the last box exits. Box allocation and
freeing remain at module init/exit time.
> diff --git a/arch/x86/events/intel/uncore.c b/arch/x86/events/intel/uncore.c
> index b9b901b789d15..c6fe7864a4977 100644
> --- a/arch/x86/events/intel/uncore.c
> +++ b/arch/x86/events/intel/uncore.c
[ ... ]
> -static int __init uncore_cpu_init(void)
> -{
> - int ret;
> -
> - ret = uncore_types_init(uncore_msr_uncores);
> - if (ret)
> - goto err;
> -
> - ret = uncore_msr_pmus_register();
> - if (ret)
> - goto err;
> - return 0;
> -err:
> - uncore_types_exit(uncore_msr_uncores);
> - uncore_msr_uncores = empty_uncore;
> - return ret;
> -}
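Review bot: The removed error path reset the global itself, with uncore_msr_uncores = empty_uncore; right after uncore_types_exit(uncore_msr_uncores). Whatever replaces uncore_cpu_init() should keep an equivalent reset of the global on failure, and the commit message should say where that now happens, since its description only covers the lazy registration model.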
[ ... ]
> +static int __init uncore_cpu_mmio_init(struct intel_uncore_type **types)
> {
> int ret;
>
> ret = uncore_types_init(types);
> + if (!ret)
> + return 0;
>
> + uncore_types_exit(types);
> + types = empty_uncore;

Does this error path effectively clear the global uncore arrays?

Since types is passed by value, assigning types = empty_uncore only updates
the local parameter. The global variables like uncore_msr_uncores or
uncore_mmio_uncores are left pointing to structures that were just cleaned
up by uncore_types_exit().

If intel_uncore_init() experiences a partial failure, it can still proceed
to register CPU hotplug callbacks. This synchronously triggers
uncore_event_cpu_online() which iterates over the global arrays:

  intel_uncore_init()
  uncore_cpu_mmio_init()
  cpuhp_setup_state()
  uncore_event_cpu_online()
  allocate_boxes()

Could this access freed structures and result in a use-after-free or NULL
pointer dereference since the global array was not cleared?

> return ret;
> }
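Review bot: In the error path of uncore_cpu_mmio_init(), types = empty_uncore; writes only to the by-value parameter, so after uncore_types_exit(types) the caller's array pointer still refers to the types that were just passed to the exit routine. Either take struct intel_uncore_type *** and assign *types = empty_uncore, or leave the reset to the caller and have it assign empty_uncore to its own global when the return value is non-zero.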
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512233048.9577-1-zide.chen@intel.com?part=7
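
The pass-by-value problem raised in the review above, reduced to a user-space C model. This is an added example, not part of the original message or the kernel source; struct utype, the torn_down flag and all function names are hypothetical stand-ins, and teardown is modelled with a flag rather than a real free.

```c
#include <stddef.h>

/* Hypothetical user-space stand-ins for the uncore type arrays (constructed). */
static struct utype { int torn_down; } type_a, type_b;
static struct utype *real_types[] = { &type_a, &type_b, NULL };
static struct utype *empty_types[] = { NULL };
static struct utype **global_types;  /* walked later by a hotplug-style callback */

/* Models teardown with a flag instead of a real free, so the walk stays defined. */
static void types_exit(struct utype **types)
{
    for (; *types; types++)
        (*types)->torn_down = 1;
}

/* Error path shaped like the quoted hunk: only the local copy is reassigned. */
static int init_fail_by_value(struct utype **types)
{
    types_exit(types);
    types = empty_types;   /* caller's pointer is unchanged */
    return -1;
}

/* One possible correction: receive the address of the caller's pointer. */
static int init_fail_by_ref(struct utype ***types)
{
    types_exit(*types);
    *types = empty_types;  /* caller now walks the empty array */
    return -1;
}

/* Runs one failing init; returns how many torn-down entries the global still reaches. */
static int stale_after_failure(int by_ref)
{
    int n = 0;
    type_a.torn_down = type_b.torn_down = 0;
    global_types = real_types;
    if (by_ref)
        init_fail_by_ref(&global_types);
    else
        init_fail_by_value(global_types);
    for (struct utype **t = global_types; *t; t++)
        n += (*t)->torn_down;
    return n;
}

int main(void)
{
    return (stale_after_failure(0) == 2 && stale_after_failure(1) == 0) ? 0 : 1;
}
```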